<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>SecretMessage beta</title>
<script>
window.TextEncoder = window.TextDecoder = null;
</script>
<script src="https://morphar.github.io/secretmessage/js/encoding.js"></script>
<script src="https://morphar.github.io/secretmessage/js/es6-promise.auto.min.js"></script>
<link rel="stylesheet" href="https://morphar.github.io/secretmessage/css/bootstrap.min.css">
<link rel="stylesheet" href="https://morphar.github.io/secretmessage/css/main.css">
</head>
<body>
<nav class="navbar sticky-top navbar-light bg-light justify-content-center">
<a class="navbar-brand" href="/">
<img src="https://morphar.github.io/secretmessage/img/logo_small.svg" height="30" class="d-inline-block align-top" alt="">
Secret Message <sup class="text-success">beta</sup>
</a>
</nav>
<main role="main" class="container faq">
<div class="row justify-content-center">
<div class="col-lg-8">
<h1>FAQ</h1>
<p>
Security, encryption and privacy are broad subjects and I could go on and on about the why and the how, so I will limit this FAQ to the most essential questions and point to other resources for those who wish to understand the subject and its implications better.
</p>
<h3>Who is Secret Message for?</h3>
<hr>
<p>
Anybody who needs to send a secret or password over an insecure channel.
</p>
<h3>What is an insecure channel?</h3>
<hr>
<p>
An insecure channel is basically any form of communication that does not:
</p>
<ul>
<li>Encrypt your message before sending it anywhere</li>
<li>Encrypt your message in a way that only you and the receiver can decrypt it</li>
</ul>
<p>
Some examples of insecure channels:
</p>
<ul>
<li>E-mail (can be made secure, but don't count on it)</li>
<li>Facebook Messenger (they even read your messages for serving ads)</li>
<li>Slack (more secure, but the service still has access to your messages)</li>
<li>Skype (more secure, but the service still has access to your messages)</li>
</ul>
<p>
The easiest way to think about this is to remember that your unencrypted message should <strong><i>NEVER</i></strong> be copied or stored anywhere.
<br>So unless security and privacy are an explicit feature of a service, it's probably <strong><i>NOT</i></strong> secure.
<br>
<br>Some services will tell you that your communication is encrypted, but that does not necessarily make it private, or even secure: encryption in transit (TLS) protects the message on the wire, not from the service at the other end, which decrypts it.
<br>Facebook Messenger, for example, is NOT private: it keeps a copy of your messages on its servers, which can also make it insecure if those servers are breached.
<br>
</p>
<h3>Why should I care as a private person?</h3>
<hr>
<p>
You might think that you have nothing to hide, but today your identity is largely digital, and attackers try to harvest as many identities as possible, using software to run automated attacks.
<br>So even if you think you are not of interest, your identity is.
<br>A lot of people use the same e-mail and password for many services, making it easy to reuse the data from a single breach (so-called credential stuffing) to also gain access to e-mail, Facebook, Twitter, etc.
<br>Your entire identity can be exploited to take out loans, open credit cards and run up debts.
</p>
<ul>
<li><a href="https://www.fbi.gov/news/stories/hackers-sentenced-in-identity-theft-case-032918" rel="external noreferrer noopener" target="_blank">Hackers Infiltrated Mortgage Company Computers to Steal Customer Information</a></li>
<li><a href="https://www.forbes.com/sites/laurashin/2014/11/18/someone-had-taken-over-my-life-an-identity-theft-victims-story/#a247c825beb3" rel="external noreferrer noopener" target="_blank">'Someone Had Taken Over My Life': An Identity Theft Victim's Story</a></li>
</ul>
<p>
In the worst case, it's even possible for someone to commit crimes in your name, which could get you arrested and even jailed.
</p>
<ul>
<li><a href="https://www.marketwatch.com/story/how-being-an-id-theft-victim-could-land-you-in-jail-2014-02-19" rel="external noreferrer noopener" target="_blank">Identity theft victim thrown in jail</a></li>
<li><a href="https://www.aol.com/article/finance/2014/02/18/identity-theft-victims-jailed/20832409/" rel="external noreferrer noopener" target="_blank">Double Trouble: Being an Identity Theft Victim Can Land You in Jail</a></li>
</ul>
<h3>Why should I care as a company?</h3>
<hr>
<p>
Besides new regulations like <a href="http://ec.europa.eu/justice/smedataprotect/index_en.htm" rel="external noreferrer noopener" target="_blank">GDPR</a>, there are countless reasons, but here is a short and incomplete list of what an attacker can do with the right passwords:
</p>
<ul>
<li>Gain access to all of your users' data</li>
<li>Exploit your servers and services</li>
<li>Read all of your e-mails</li>
<li>Send e-mails from your address</li>
<li>Take over domain names</li>
<li>Exploit or lock you out of your third-party services</li>
<li>Just think: anything you can do with those credentials, an attacker can do too</li>
</ul>
<h3>Why should I use Secret Message?</h3>
<hr>
<p>
Secret Message is better than sending your plain text secret or password over insecure channels.
<br><strong>Just remember:</strong> having both the link and the pass phrase will forever enable decryption of the secret, so never send the two over the same channel.
<br>
<br>In many cases, it would be better to use a good password manager to share secrets.
<br>Here are a couple of well-known password managers:<i> (disclaimer: I am NOT affiliated with any of them).</i>
</p>
<ul>
<li><a id="1password" href="https://1password.com/" rel="external noreferrer noopener" target="_blank">1Password</a></li>
<li><a id="lastpass" href="https://www.lastpass.com/pricing" rel="external noreferrer noopener" target="_blank">LastPass</a></li>
<li><a id="dashlane" href="https://www.dashlane.com" rel="external noreferrer noopener" target="_blank">Dashlane</a></li>
<li><a id="keeper" href="https://keepersecurity.com" rel="external noreferrer noopener" target="_blank">Keeper</a></li>
<!-- <li><a id="keeper" href="https://www.roboform.com" rel="external noreferrer noopener" target="_blank">RoboForm</a></li> -->
<li><a id="keepass" href="https://keepass.info" rel="external noreferrer noopener" target="_blank">KeePass</a> (open source)</li>
</ul>
<!--
<p>
I created Secret Message as a simple solution to a small but recurring problem - sharing secrets like passwords.
<br> Over the years I have seen passwords being sent over e-mail, ICQ, Messenger, Skype, SMS, Slack, you name it!
</p>
<p>
Though you might think "Nobody is interested in our password for service X", you might be wrong, and in any case it is bad security practice.
<br> Oh! And you just shared your password with Slack, Google, Facebook or whoever owns the service, and with all of their staff who have database access (which in many cases is most of the staff).
<br>
</p>
<p>
I want to explain a misconception and why you might be wrong (skip if you don't care 😉).
<br> Many people think along the lines of "I have nothing to hide", which disguises the real issue.
<br> No, you might not be interesting, but in the case of identity, yours and 999 other people's identities might be interesting, and they can be and are being misused every single day.
<br> In the case of your servers and services, information about people is in general interesting to Bad Guys<sup style="font-size:0.6em;">TM</sup>.
<br> If they can gain access to your servers or services and extract e-mail addresses and any other information, they can start building up complete profiles of people, whose identities can then be misused.
<br>
<br> Like it or not, security comes from thinking that all information is interesting to Bad Guys<sup style="font-size:0.6em;">TM</sup>; treating all information as sensitive puts you in the right state of mind when it comes to protecting information and making it secure.
</p>
<p>
Secret Message aims to solve this problem by making it easy to encrypt a message and send it over insecure channels like those services.
</p>
<p>
"But you ask for a password! How am I gonna share that?".
<br> Excellent question!
<br> Rule number 1: Don't share that password over the same channel as you shared the secret.
<br>
</p>
<p>
"Doesn't sharing another password kinda defeat the purpose?".
<br> You are full of excellent questions!
<br> No, it does not defeat the purpose. What is accomplished by this process is something like 2-factor authentication:
<br> You have something: the encrypted message.
<br> You know something: the password that the message was encrypted with.
<br> In order for anybody to get the original password, they would need both the encrypted message and the password used to encrypt it.
<br>
<br> The safety of the original encrypted password is now based on having to get access to the encrypted message AND the password used to encrypt the message.
<br> So the security now depends on how safely you share the encryption password.
<br>
<br> A simple rule for the safest way of sharing the encryption password:
<br> Share it in a way that doesn't leave a copy.
<br> This could be by telling the receiver face to face, what it is.
<br>
<br> A phone call comes close to being just as safe, as it would be hard for most adversaries to listen in on that conversation or obtain a recording of it.
<br>
</p>
<p>
"Why bother? Why not just share the secret face to face?".
<br> That is close to just as secure: you lose the 2-factor property, but at least you don't have the password floating around on Slack's servers.
<br> One problem might be if you have to say something like this over the phone:
<br> "a, 2, capital B, q, ...", you get the idea, it's hard to get right and both sender and receiver will probably speak the entire password in a setting with other people.
</p>
-->
</div>
</div>
</main>
<footer class="footer fixed-bottom bg-light">
<div class="container justify-content-center">
<ul class="text-muted">
<li><a href="https://github.com/morphar/secretmessage">GitHub</a></li>
<li><a href="https://morphar.github.io/secretmessage/faq">FAQ</a></li>
<li><a href="https://morphar.github.io/secretmessage/about">About</a></li>
</ul>
</div>
</footer>
</body>
</html>